Re: 'a bare minimum would be forking'
> What do you do with your forked dependency's dependencies? You fork them too? And *their* dependencies? And their dependencies' dependencies? And...

If you're working in a responsible manner, you need to do a license review of every dependency anyway, so you will be making a list of all dependencies anyway (including dependencies of dependencies, etc.) and can just fork all of them.
a) You don't have problems due to a server being down
b) You don't have problems due to someone pushing a bug or non-backward-compatible change
c) You can check the licenses of all the software you're using, in case some dependency adds a new dependency with an unacceptable license
d) If something breaks, it's possible to answer the question "what changed".
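
Points c) and d) above, as an added example that is not part of the original comment: a walk over the full transitive dependency list of two snapshots of a forked tree, reporting what changed and which dependency chain pulled in a license outside policy. The snapshot format, the package names and the `ALLOWED` policy are constructed for illustration.

```python
from collections import deque

ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # assumed license policy
MISSING = (None, "UNKNOWN", [])  # a dependency nobody inventoried

# Constructed snapshots: package -> (version, license, direct dependencies)
BEFORE = {
    "app":   ("1.0.0", "MIT", ["web", "log"]),
    "web":   ("2.3.0", "Apache-2.0", ["parse"]),
    "parse": ("0.9.1", "MIT", []),
    "log":   ("1.4.2", "BSD-3-Clause", []),
}
AFTER = {
    "app":      ("1.0.0", "MIT", ["web", "log"]),
    "web":      ("2.4.0", "Apache-2.0", ["parse", "fastjson"]),
    "parse":    ("0.9.1", "MIT", ["web"]),  # cycle: the walk must terminate
    "log":      ("1.4.2", "BSD-3-Clause", []),
    "fastjson": ("3.1.0", "AGPL-3.0", []),
}

def closure(snapshot, root):
    """Breadth-first walk; returns {package: shortest chain from root}."""
    chains = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in snapshot.get(pkg, MISSING)[2]:
            if dep not in chains:  # visited check also breaks cycles
                chains[dep] = chains[pkg] + [dep]
                queue.append(dep)
    return chains

def what_changed(before, after, root):
    """Diff the transitive dependency sets of two snapshots."""
    old, new = closure(before, root), closure(after, root)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "version": sorted(p for p in old.keys() & new.keys()
                          if before.get(p, MISSING)[0] != after.get(p, MISSING)[0]),
    }

def license_violations(snapshot, root, allowed=ALLOWED):
    """List (package, license, chain) for every license outside the policy."""
    return [(pkg, snapshot.get(pkg, MISSING)[1], " -> ".join(chain))
            for pkg, chain in sorted(closure(snapshot, root).items())
            if snapshot.get(pkg, MISSING)[1] not in allowed]

if __name__ == "__main__":
    print(what_changed(BEFORE, AFTER, "app"))
    print(license_violations(AFTER, "app"))
```
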